Protocol fees are distributed to pending staking positions as well as to consolidated ones. Fees should only be paid to positions that have completed the pending period; otherwise the fee distribution is vulnerable to frontrunning.
Here is a potential attack scenario:
An attacker monitors the EUROs balance in the poolManager. At a point where a large amount of fees has accumulated, the attacker stakes a large amount of TST/EUROs tokens and calls the public distributeFees() function in the poolManager.
The newly staked tokens are still pending, but they are nevertheless eligible for fee distribution, so the attacker receives a share of fees that accrued while the attacker's tokens were not in the pool.
After only 1 day (when the stake becomes non-pending), the attacker removes all funds from the pool.
This puts long-term stakers at a disadvantage: their share of each distribution is diluted by capital that was staked moments before the call.
It encourages short-term staking and creates a risk of frontrunning every fee distribution event.
Manual Review
Delete the following code in the distributeFees() function in order to prevent pending stakers from benefiting from fee distributions:
Also, the pending staking limit of 1 day in the consolidatePendingStakes() function is short and should be increased. This parameter should be configurable by the protocol owner via a setter function:
Add a new state variable to the contract:
Add a setter function:
Use the state variable in the consolidatePendingStakes() function:
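The following Solidity contract is an added illustration written for this report; it is not the protocol's poolManager code and does not reproduce the deleted lines referenced above. It shows the attack scenario from the beginning of the finding (a distribution that counts pending positions) beside the hardened distribution, and the owner-settable pending period recommended in the three steps above. ExamplePool, setPendingPeriod, feeShare, accrueFees and the 1-day lower bound are assumptions of the example; token transfers are omitted so that only the accounting is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal staking pool (not the protocol's poolManager).
/// stake() and accrueFees() only update accounting; transfers are omitted.
contract ExamplePool {
    struct Position {
        uint256 tst;        // TST staked by this address
        uint256 stakedAt;   // timestamp of the last stake() call
        bool consolidated;  // true once the pending period has elapsed
    }

    address public owner;
    uint256 public pendingPeriod = 1 days; // assumed default, owner-configurable
    uint256 public consolidatedTst;        // TST held in consolidated positions
    uint256 public feesAvailable;          // EUROs fees accrued, not yet distributed

    address[] public stakers;
    mapping(address => Position) public positions;
    mapping(address => uint256) public feeShare; // EUROs owed to each staker

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Setter recommended by the report: the pending window is no longer a
    /// hard-coded 1 day. The 1-day lower bound is an assumption of this example.
    function setPendingPeriod(uint256 newPeriod) external onlyOwner {
        require(newPeriod >= 1 days, "period too short");
        pendingPeriod = newPeriod;
    }

    /// Any new stake or top-up restarts the pending period for the position.
    function stake(uint256 tstAmount) external {
        require(tstAmount > 0, "zero stake");
        Position storage p = positions[msg.sender];
        if (p.stakedAt == 0) stakers.push(msg.sender);
        if (p.consolidated) {
            consolidatedTst -= p.tst;
            p.consolidated = false;
        }
        p.tst += tstAmount;
        p.stakedAt = block.timestamp;
    }

    /// Called when the protocol collects a fee (EUROs transfer omitted).
    function accrueFees(uint256 eurosAmount) external {
        feesAvailable += eurosAmount;
    }

    /// Positions older than pendingPeriod join the consolidated set.
    function consolidatePendingStakes() public {
        for (uint256 i = 0; i < stakers.length; i++) {
            Position storage p = positions[stakers[i]];
            if (!p.consolidated && block.timestamp >= p.stakedAt + pendingPeriod) {
                p.consolidated = true;
                consolidatedTst += p.tst;
            }
        }
    }

    /// VULNERABLE shape: every position's balance counts, so a stake placed
    /// one block before this call takes a share of fees earned without it.
    function distributeFeesVulnerable() external {
        uint256 totalTst = 0;
        for (uint256 i = 0; i < stakers.length; i++) totalTst += positions[stakers[i]].tst;
        if (totalTst == 0 || feesAvailable == 0) return;
        uint256 amount = feesAvailable;
        uint256 paid = 0;
        for (uint256 i = 0; i < stakers.length; i++) {
            uint256 share = amount * positions[stakers[i]].tst / totalTst;
            feeShare[stakers[i]] += share;
            paid += share;
        }
        feesAvailable -= paid; // rounding dust stays for the next round
    }

    /// HARDENED shape: pending positions are skipped and the denominator is the
    /// consolidated balance only, so a fresh stake earns nothing until it has
    /// sat through the full pending period.
    function distributeFees() external {
        consolidatePendingStakes();
        if (consolidatedTst == 0 || feesAvailable == 0) return;
        uint256 amount = feesAvailable;
        uint256 paid = 0;
        for (uint256 i = 0; i < stakers.length; i++) {
            Position storage p = positions[stakers[i]];
            if (!p.consolidated) continue;
            uint256 share = amount * p.tst / consolidatedTst;
            feeShare[stakers[i]] += share;
            paid += share;
        }
        feesAvailable -= paid;
    }
}
```

To reproduce the scenario: have one address stake and wait past pendingPeriod, call accrueFees(), then have a second address stake and call distributeFeesVulnerable(); the second address receives a share although it has not completed the pending period, whereas distributeFees() pays only the first address. The denominator in the hardened version must be consolidatedTst rather than the total staked balance, otherwise the pending stake still dilutes every other staker's share even though it is skipped.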